Private npm Registry


Private npm from Nodejitsu is a way of easily creating and installing packages from your own personal npm registry. This allows you to create private packages while still falling back to the public registry for every other package.

Provisioning the add-on

Private npm can be attached to a Heroku application via the CLI:

$ heroku addons:create private-npm --app [your-app]

Plans (private-npm:[plan]) can be any one of: iron, steel, bronze,
silver, gold, platinum, or diamond.

We provide extra command-line arguments if you want to use them. If you
want to pick the name of your subdomain and use your regular public npm user,
you can pass them in; otherwise, we will generate them for you.

Configure the npm CLI

Just like the public registry, the npm CLI program is what you’ll use to install, publish and otherwise interact with npm modules. Nodejitsu Private npm requires three changes to the configuration of your npm CLI client:

Every request requires authentication: This means that users you have not authorized cannot download packages from your Private npm. Since this is not the default behavior of the public npm you need to set:

$ npm config set always-auth true

Be strict about SSL: We improved our SSL experience. Our Private npm registry now supports a multi-level wildcard certificate issued by DigiCert and serves https://*.registry.nodejitsu.com, so you’ll need to set the following in your npm config:

$ npm config set strict-ssl true
$ npm config set ca ""

Login & start making requests against your Private npm

Requests can be made against your Private npm in two ways:

Set the registry for all requests: This means that every request will hit your private registry

We recommend that you set the registry for all requests to avoid any accidental publishes of private modules to the public registry. Since all new publishes then go to your Private npm registry by default, when you need to publish a new public npm package you can explicitly set the --reg flag:

Log in to the Web Interface

Tip: Publish modules using publishConfig

The publishConfig in your package.json does the following (from the npm documentation):

This is a set of config values that will be used at publish-time. It’s especially
handy if you want to set the tag or registry, so that you can ensure that a given
package is not tagged with “latest” or published to the global public registry by default.

Any config values can be overridden, but of course only “tag” and “registry” probably
matter for the purposes of publishing.

The benefit of using publishConfig is that it avoids accidental publishes to the public registry due to user error. Take, for example, a developer on your team who has not properly configured their machine by running npm config set registry or using the --reg flag. Publishing from that machine would send your code public. By using the publishConfig property you avoid that, because the setting is part of your application rather than of each developer's npm configuration.
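A check that a package.json actually pins its publish target, as an added example (not Nodejitsu's code). The function name auditPublishConfig, the subdomain example-team and the package names are assumptions made for illustration; the host suffix is the wildcard host named on this page.

```javascript
// Added example, not Nodejitsu code. The suffix is the wildcard host named on
// this page; "example-team" and the package names are constructed.
const ALLOWED_SUFFIX = '.registry.nodejitsu.com';

// Returns a list of problems; an empty list means publishing is pinned
// to a private registry by package.json itself.
function auditPublishConfig(pkg) {
  const cfg = pkg.publishConfig;
  if (!cfg || typeof cfg.registry !== 'string') {
    return ['publishConfig.registry missing: target depends on local npm config'];
  }
  let url;
  try {
    url = new URL(cfg.registry);
  } catch (err) {
    return ['publishConfig.registry is not a valid URL: ' + cfg.registry];
  }
  const problems = [];
  if (url.protocol !== 'https:') {
    problems.push('registry must use https, got ' + url.protocol);
  }
  // Match on the parsed hostname, never on a substring of the raw string,
  // so a query string or path containing the suffix cannot pass the check.
  const host = url.hostname.toLowerCase();
  if (!host.endsWith(ALLOWED_SUFFIX) || host.length === ALLOWED_SUFFIX.length) {
    problems.push('registry host is not a private registry: ' + host);
  }
  if (url.username || url.password) {
    problems.push('credentials embedded in registry URL');
  }
  return problems;
}

// Constructed sample manifests.
const SAMPLES = {
  pinned: { name: 'internal-lib', publishConfig: { registry: 'https://example-team.registry.nodejitsu.com/' } },
  unpinned: { name: 'internal-lib' },
  publicTarget: { name: 'internal-lib', publishConfig: { registry: 'https://registry.npmjs.org/' } },
  lookalike: { name: 'internal-lib', publishConfig: { registry: 'https://registry.npmjs.org/?x=.registry.nodejitsu.com' } },
  plainHttp: { name: 'internal-lib', publishConfig: { registry: 'http://example-team.registry.nodejitsu.com/' } },
};

for (const [label, pkg] of Object.entries(SAMPLES)) {
  const problems = auditPublishConfig(pkg);
  console.log(label + ': ' + (problems.length ? problems.join('; ') : 'ok'));
}
```

Run it against the parsed package.json in CI or from a prepublishOnly script, and fail when the returned list is not empty.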

Using with Heroku buildpacks

If you already have a Heroku app this is simple. If not, why don’t you check out their getting started documentation. Just like before, we recommend you first create a specific deploy user for your private npm registry. This allows you to separate access control from the personal accounts of the developers on your team.

What happens if I need to change my password on the public npm registry?

You will need to resync your new password with your Private npm registry. You can do this by: